Pages

Friday, 8 December 2017

Podcast Interview With Andy Robbins, Rohan Vazarkar, SpecterOps

Here's another fantastic Neo4j Graphistania podcast episode for you. I had a brilliant chat with two guys in the US who have built a superb tool and written a bunch of articles about a topic that is very dear to my heart. I spent 10+ years working in the security industry, working on Identity and Access Management projects. And in that world, one of the most common problems is for people to misconfigure/mismanage their AD / LDAP server settings, and therefore get into a lot of security trouble because they just could not see through some of this stuff. Andy Robbins and Rohan Vazarkar (which I smilingly mispronounced as "the bezerker" :) ) did some amazing work on this, using Neo4j, and that's why we wanted to have a chat about this.

Here's the recording:

Here's the transcript of our conversation:

RVB: 00:00:03.538 Hello everyone. My name is Rik, Rik van Bruggen from Neo4J and here I am again recording another Graphistania podcast, and this time I have two lovely gentlemen on the other side of this Skype call. One is Andy Robbins and the other is Rohan Vazarkar, and these guys have been on my radar for a very long time because they have been developing some fascinating stuff around Neo4J. Welcome Andy. Welcome Rohan.

AR: 00:00:29.795 Thank you.

RV: 00:00:30.824 Thanks for having us.

RVB: 00:00:31.888 Yeah. Thanks for coming on. Guys, I've been a fan of your work for a long time but I'd love for you to introduce yourself to our audience. Maybe Andy, you can start first?

AR: 00:00:45.578 Sure, yeah. My name is Andy Robbins. My official title is adversary resilience lead at SpecterOps, which is a US based information security consultancy specializing in pen testing, red teaming, and other adversarial work. I come from a pen test-heavy background, initially cutting my teeth on breaking into banks and credit unions and trying to figure out how to steal money from them, which is a lot of fun. And then before that, just basic IT and break/fix career which led me here.

RVB: 00:01:19.503 Very cool. What about you, Rohan?

RV: 00:01:22.500 Well, name's Rohan Vazarkar and I'm Andrew's lackey - that's how I'm going to put it [laughter]. He's the adversary resilience lead, I'm just an adversary resilience operator. My background, pretty much, I've only been in the industry about three years, and I started just doing just generic pen testing on anything and everything that I could, so. I'm not quite as in-depth as Andy over here.

RVB: 00:01:49.624 Okay, okay. Well, you guys, I've been following you work mostly around the BloodHound tool, which you absolutely have to tell us a little bit more about. And there's a third musketeer, right, that is not on this call, that was part of the development of BloodHound, but maybe you could introduce that third muskateer and BloodHound in the same go?

AR: 00:02:12.224 Yeah. So first let me talk about Will Schroeder, the third leg of the BloodHound team. Will has been doing red teaming and then offensive engineering for a long time. Will is very well known in our industry for all of the tools that he has put out, namely PowerView, which is now part of PowerSploit, the Empire tool set, which he co-created with Matt Nelson and Justin Warner, and then, of course, BloodHound as well. Will played and continues to play a critical part in the development of BloodHound. PowerView, which Will is best known for, is an Active Directory situational awareness framework. It uses PowerShell V2 compliant commandlets to gather information from Active Directory that an attacker can use to figure out kind of the lay of the land, so who are the local admins, some places, where are people logged on, what are the security group memberships, what are the access control entries on securable objects. All of this critical information that Will put, and continues to put a lot of really hard work into creating. So the BloodHound project really wouldn't exist without Will's work, with PowerView in particular. And so, let me talk a little bit about BloodHound itself. What it is. Why we created it. So--

RVB: 00:03:55.944 That would be great.

AR: 00:03:56.454 --Rohan and I, and Will, and the rest of our team, we do penetration testing, red teaming, and we also do a defensive of work in the form of hunt operations. But with pen testing and red teaming in particular, PowerView really changed the game as far as what kind of insight we have into Active Directory, into Windows systems that are joined to Active Directory, etc., so we could build out a map of the domain trusts, we can figure out where people are logged on. We can figure out the security [memerships?], and we could do all of this by default with just domain user-level privileges. So we don't need any kind of privilege to access to gather all that information. Now, as penetration testers, we found ourselves in a very common pattern where we would land on a system, say, through a phishing attack. And the user that we land as, or the user who's using that computer that we land on, has some kind of privilege, like they're local admin somewhere, or maybe they have local admin rights on their own system. But if we can get local admin rights on a system where somebody else is logged on, we can use built-in windows functionality to get access to that other system, and have our trojan or, our RAT, or whatever you want to call it, zombie agent, on that other system. And then through either token impersonation, or token theft, or through what I always call the miracle of meme cats, we can just get the plain text password for that user that's on the other system. And then we kind of start this process of what's called the derivative local admin attack, or an identity snowball attack, where we go to system, we steal someone's password, and then now we have more or a wider scope of systems that we now have admin rights, too. And so when we go through this process of repeating this over, and over, and over, until finally we have local admin rights on a system where a domain admin has logged on. Now--

RVB: 00:06:15.315 [crosstalk]. So that's like hopping from one machine, to a machine, to a user, to a machine. You're hoping along the network. Is that a fair statement?

AR: 00:06:24.037 Yeah. Yeah, that's exactly right. Yeah. We were building out and we were discovering these attack paths as we discover who's logged on in different machines, and as we discover what local admin rights our new credentials give us in the network. So--

RVB: 00:06:40.564 So if I understand you correctly, so BloodHound is like a set of tools that do this analysis for you, and it finds this web of attack paths, and it allows you to kind of structure it and analyze it. Is that what I'm hearing?

AR: 00:06:59.094 Yeah, that's exactly right. So PowerView gives us the ability to collect all that information, and then we all kind of-- we fantasized about some kind of solution that would analyze that data for us and tell us exactly what to do to get domain admin local rights. And so I was having lunch one day with my friend Sam Briesemeister, and I'm explaining the problem to him. And he says, "Wait a minute, wait a minute. This is Graph Theory 101 stuff. This is like day one computer science." So he's like, "I got you." And [inaudible] gives me crash course and graph theory. And that's when Rohan and I-- we took a step back, we said, "All right. This looks like a really good solution. Let's figure out what graph technology, what graph rendering framework or library we want to use, and let's actually build this out." And the end result was BloodHound, which, exactly as you said, it gives a pen tester a very simple interface in a very simple data collection methodology that they just put all the data into BloodHound. They say, "Give me a path from this computer to domain admins," or from anywhere to anywhere else. And if that path exists, then the BloodHound interface will present it to the user. So that process that we used to spend days, or sometimes even weeks doing manually, we can now do in minutes with data collection and running the queries through Neo4j.

RVB: 00:08:33.589 And in that way the-- I guess the Microsoft system administrators, they can also come up with better defense strategies, right?

AR: 00:08:45.946 Definitely yeah. They can do the same thing we are doing and find all those attack paths and then, instead of abusing them, they can start to shut them down, or they can at least have a chance at understanding the very complex nature of security group nestings and local admin privileges in Active Directory.

RVB: 00:09:04.477 I saw this one quote in one of your presentations by John Lambert, the [laughter] Microsoft guy. "Defenders think in lists, attackers think in graphs. And as long as this is true, attackers will win[laughter]." Right? That's it, then?

RV: 00:09:25.663 I was just laughing. That's [laughter] one of my favorite quotes.

RVB: 00:09:28.828 It's a fantastic quote.

AR: 00:09:29.381 Yeah, that quote, it finds its way into all of our talks, and then now into our very first podcast, too [laughter].

RVB: 00:09:36.607 Fantastic. Hey guys, and so the second question I kind of always ask people is, well, why graphs? Why did you want to use a graph for solving this? Was it really just the fact that you were trying to solve something that was taking weeks and you thought it was going to be so much simpler, or--? What was the main attraction for you guys?

RV: 00:10:03.978 I think I would say that we considered a lot of different solutions to the problem and out of everything we looked at, graphs definitely fit the bill better than anything else. I mean, the speed at which you can do analysis on graphs just blows away almost anything else that we could find. I mean, not to mention they are really fun to look at, and they demonstrate concepts in a way that we never could properly explain before. Andy was talking earlier about how we jumped from system, to system, to system, and one of the hardest things we had to deal with was during our clients out-briefs, explaining to clients exactly what we were talking about when we were talking about going from one node to another node. Having a graph that we could show them and say, "This is the path we took. We run from this user, to this computer, to this group" and so on, and so forth. It makes the information a lot easier to digest, not only for us but for our clients as well. I don't think there's anything that would've given us the same impact as using graphs, like we do with Neo4j right now.

RVB: 00:11:15.421 Super. So Its a combination of just a good fit for the graph model I guess, and at the same time also being able to query it so quickly that you can actually do a lot more analysis on it, I guess?

RV: 00:11:28.387 Yep, absolutely.

RVB: 00:11:29.835 Yeah. Very, very cool. I mean this is a topic that's-- I told you guys about this earlier. This is a topic that's so dear to my heart, because I spent 10 years trying to convince people to clean up their active [laughter] directories. And it feels like this is a great fit for some of those tasks, so I recommend people to take a look at it. So guys final topic here, what's next? Where do you guys want to go next with BloodHound, but also where do you see the wonderful world of graphs heading and potentially intersecting with the security industry? Any perspectives on that?

RV: 00:12:11.843 I'll let you take this one, Andy.

AR: 00:12:12.211 Well-- yeah. So I think, in general, as far as the opportunity in information security, there's a lot of very complex problems that still need to be solved in the information security space. One of the things I'm most proud of with BloodHound is that we were able to take this very complex problem, or this very complex pen test or red team methodology, and kind of democratize it, so to say. So we put that very-- well, we put that relatively advanced tactic into the hands of every pen tester that is interested in looking at the tool. And so I think for me, what that lets the client organizations of those pen test firms do is really understand how big of a problem that actually is. And so there are other opportunities, I think, that are ripe for the solving. In particular, I think network segregation and isolation is a big one that graphs can really help with. I also think that host-based privilege analysis can also be very interesting to look at. So some of our guys, Will Schroeder again, and Lee Christensen, and Matt Nelson, they started looking at host-based access control entries on securable objects and how those can be abused for persistence, and then also privilege escalation. I think adding a graph on top of that could really cause an awakening, as far as what a situation with privileges from a local perspective look like in reality.

AR: 00:14:00.973 And then for the project, there are a lot of very exciting things that we have planned for the project. Most importantly, again, Will Schroeder kind of led the effort as far as understanding how Active Directory group policy affects objects. So it's a fairly complex topic, maybe a little bit too complex to talk about right now. But the bottom line is if we, as an attacker, can get some kind of privilege over a group policy, then there is a 1,001 ways that we can push group policy down to the resulting objects, be they users or computers, to take over those objects. So Will has already figured out the logic for how that all works from an Active Directory perspective. And he also knows how to take all the information out of Active Directory and put it into a format that can be ingested in the Neo4j.

AR: 00:14:57.735 And then, Rohan and I are working on how to actually implement that into the interface. So from a graph perspective, it gets very interesting, because for the first time, we're going to be putting in node properties and edge properties that are going to require filtered path searching. And so that will be a new part of the project. That is a good challenge, and I think it's going to be very effective for finding new attack path opportunities in Active Directory. And then, I think Rohan should probably talk about a recent update to the project that's been kind of a game changer which is the new ingester. So I'll let Rohan talk about that.

RVB: 00:15:45.902 Yes, please.

RV: 00:15:46.222 Yeah. So one of the interesting problems we used to run into-- and this is no fault of Will's whatsoever, this was kind of a limitation of the language we were using. As someone as familiar with PowerView as you are, you know that it's basically just a big PowerShell script. And PowerShell, as wonderful a language as it is, has some limitations when it comes to threading and concurrent operations, that made it really difficult for us to scale our project effectively. So recently we took the liberty of rewriting the entire collection into C#, where we could take advantage of more threading and a lot more, I guess, efficient methods of data collection. So we did this over the past, I want to say, about three months. And as a result of it, the scale at which we can collect data has increased significantly. There were environments that were way too big for us to collect with the PowerShell ingester. We had people telling us that they were running collection on a system with 80 gigs of RAM, and they were running out [laughter], which is never a good thing to hear. With the new one--

RVB: 00:17:14.222 That's almost like a big, big job, that rewrite, actually.

RV: 00:17:18.400 It was a big undertaking. It was worth it in the end, though. We've had people tell us they've done collection in networks that have a million-plus computers. And they've successfully completed it and put all that data into Neo4j, which also handles it like a champ. So that was a--

RVB: 00:17:37.825 [inaudible] [laughter].

RV: 00:17:38.813 --yeah. That was really, really great information to have. Scale was always going to be an issue for us, so solving that issue was a pretty big deal, at least, in our industry.

RVB: 00:17:49.994 Super. Hey, Rohan and Andy, as you know, I try to keep these podcasts a little bit digestible and short. So I think we should probably wrap it up. But I'm also going to get this podcast episode transcribed, so we'll include a bunch of links to any other material that you want to share with our communities. So that's definitely something we will do. For now, I'd like to thank you so much for not just being on the podcast, but also for the fantastic work on BloodHound. I mean, I know the security domain a little bit, and I know how vulnerable many companies are because of their crappy ADs [laughter]. So I think I'd like to thank you guys on multiple fronts there, but especially, also for coming online and doing this recording with me. I really appreciate it.

AR: 00:18:49.058 Thank you very much.

RVB: 00:18:50.806 Thanks guys. And I hope to see you again at one of the Neo4j conferences someday. That would be great.

AR: 00:18:58.198 Yeah. That'd be awesome. We should thank Michael Hunger, and Max De Marzi, and all the other Neo4j staff for supporting us. They gave us a lot of help in the Slack channel and continue to help us through that, and Twitter, and stuff. So thank you very much, to them.

RVB: 00:19:13.790 Great. All right guys. Have a nice rest of your day and a fantastic holiday. Right?